Revision as of 05:37, 14 September 2010 by Thomas Herlea (talk | contribs) ("Sptember" -> "September"; "Location is hosted by" -> "Hosted by")

Jump to: navigation, search

OWASP Belgium

Welcome to the Belgium chapter homepage. The chapter leader is Sebastien Deleersnyder
Click here to join the local chapter mailing list.


OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.


Btn donate SM.gif to this chapter or become a local chapter supporter.

Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join Now BlueIcon.JPG

Local News

The OWASP Top 10 presentation from is now online for download.

Next chapter meeting is on September 21st in Leuven with Samy (is my hero) Kamkar and Justin Searle.

Structural Sponsors 2010

OWASP Member affiliated to the Belgium chapter:


OWASP Belgium thanks its structural chapter supporters for 2010 and the OWASP BeNeLux Day 2010:

50px-F5_50px.jpg Zionsecurity.jpg Rad_logo.gif SAIT_Zenitel.jpg

If you want to support our chapter, please contact Seba Deleersnyder


Chapter Meetings

Next Meeting (September 21st 2010) in Leuven


September 21st 2010 18h-20h


Hosted by Distrinet Research Group (K.U.Leuven).

Department of Computer Science (auditorium 00.225)
Celestijnenlaan 200 A
3001 Heverlee



The agenda:

  • 18h00 - 18h30: Welcome & Refreshments
  • 18h30 - 18h45: OWASP Update (by Sebastien Deleersnyder, SAIT Zenitel, OWASP Board)
  • 18h45 - 19h45: Attacking and Defending the Grid (by Justin Searle)
The Smart Grid brings greater benefits for utilities and customer alike, however these benefits come at a cost from a security perspective. This presentation will explore how the increased functionality and complexity also increases the Smart Grid's attack surface, or in other words, increases the ways attackers can compromise the Smart Grid's new infrastructures, systems, and business models. We'll discuss several specific attack avenues against the Smart Grid and recommendations for mitigating or blocking these attacks.
Justin Searle, a Senior Security Analyst with InGuardians, specializing in the penetration testing of web applications, networks, and embedded devices. Justin currently leads the Smart Grid Security Architecture group of the CSWG (Cyber Security Work Group) for NIST (National Institute of Standards and Technologies) and is a member of ASAP-SG (Advanced Security Acceleration Project for the Smart Grid). Previously, Justin served as JetBlue Airway’s IT Security Architect, and has taught courses in hacking techniques, forensics, networking, and intrusion detection for multiple universities and corporations. Justin has presented at top security conferences including DEFCON, ToorCon, ShmooCon, and SANS. Justin co-leads prominent open source projects including the Samurai Web Testing Framework, Middler, Yokoso!, and Laudnum. Justin has an MBA in International Technology and is CISSP and SANS GIAC-certified in incident handling and hacker techniques (GCIH) and intrusion analysis (GCIA).
  • 19h45 - 20h00: Break
  • 20h00 - 21h00: How I Met Your Girlfriend (by Samy Kampkar)
The discovery and execution of entirely new classes of attacks executed from the Web in order to meet your girlfriend. This includes newly discovered attacks including HTML5 client-side XSS (without XSS hitting the server!), PHP session hijacking and weak random numbers (accurately guessing PHP session cookies), browser protocol confusion (turning a browser into an SMTP server), firewall and NAT penetration via Javascript (turning your router against you), remote iPhone Google Maps hijacking (iPhone penetration combined with HTTP man-in-the-middle), extracting extremely accurate geolocation information from a Web browser (not using IP geolocation), and more.
Samy Kamkar is best known for the Samy worm, the first XSS worm, infecting over one million users on MySpace in less than 24 hours. A co-founder of Fonality, Inc., an IP PBX company, Samy previously led the development of all top-level domain name server software and systems for Global Domains International (.ws).
In the past 10 years, Samy has focused on evolutionary and genetic algorithmic software development, Voice over IP software development, automated security and vulnerability research in network security, reverse engineering, and network gaming. When not strapped behind the Matrix, Samy can be found stunt driving, getting involved in local community service projects, and continuing his focus on staying out of jail.


Please send a mail to Belgium 'at' if you plan to attend.

Previous Meeting (June 16th 2010) in Brussels


June 16th 2010 18h-20h


Location was sponsored by Zenitel Belgium.

Location: Zenitel Belgium, Z.1. Research Park 110 – 1731 Zellik, Belgium (same building as


The agenda:

  • 18h00 - 18h30: Welcome & Refreshments
  • 18h30 - 18h45: OWASP Update (by Sebastien Deleersnyder, Zenitel, OWASP Board)
  • 18h45 - 20h00: Advanced SQL Injection (by Joe McCray, Learn Security Online)
SQL Injection is a vulnerability that is often missed by web application security scanners, and it's a vulnerability that is often rated as NOT exploitable by security testers when it actually can be exploited. Advanced SQL Injection is a presentation geared toward showing security professionals advanced exploitation techniques for situations when you must prove to the customer the extent of compromise that is possible.
The key areas are:
  • Re-Enabling stored procedures
  • Old and new ways of obtaining an interactive command-shell
  • Data Exfiltration via DNS
  • IDS Evasion & Web Application Firewall Bypass
  • Privilege Escalation
Joe McCray has 10 years of experience in the security industry with a diverse background that includes network and web application penetration testing, forensics, training, and regulatory compliance. Joe is a frequent presenter at security conferences, and has taught Ethical Hacking and Web Application Security at Johns Hopkins University (JHU), University of Maryland Baltimore College (UMBC), and several other technical training centers across the country.

Previous Meeting (June 1st 2010) in Brussels


June 1st 2010 18h-21h


Location is sponsored by Cisco Belgium.

Location: Cisco, Pegasus Park, De Kleetlaan, 6A, B-1831 Diegem. See directions.


The agenda:

  • 18h00 - 18h30: Welcome & Refreshments
  • 18h30 - 18h45: OWASP Update (by Sebastien Deleersnyder, Zenitel, OWASP Board)
  • 19h00 - 20h00: The Belgian e-ID: hacker vs developer (by Erwin Geirnaert and Frank Cornelis)
Presentation + discussion: What can go wrong when implementing the Belgian eID in an unsecure way to authenticate a user? We will discuss the security issues, the problems with trust, SSL and some examples of a bad implementation. We will demo how to use WebScarab to intercept and change authentication data on the fly, impersonating somebody else.
To help developers to implement it correctly, we will give away best practices and a road map to do it properly using the new eID applet with entity authentication.
This presentation will be given by Frank Cornelis, Developer @ Fedict, who is responsible for the new eID applet and Erwin Geirnaert, co-founder & white-hat hacker @ ZION SECURITY, who has reviewed unsecure implementations of eID authentication
  • 20h00 - 20h15: Break
  • 20h15 - 21h15: Analyzing the Accuracy Of Web Application Scanners (by Larry Suto)
Presentation + discussion: Analyzing the Accuracy Of Web Application Scanners
This talk summarizes my recent study related to benchmarking a set of web application scanners against target test sites constructed by the scanner vendors themselves. I will review the methodology and some of the challenges that were faced as the tests were conducted. I have received some interesting feedback from the vendors and the security community. This new information will be integrated into the presentation. The controversial nature of "Point and Shoot" and "Trained" scanning will be addressed and scanning issues related to cloud computing/SaaS will be covered. The presentation will cover some thoughts on open source scanners such as Skipfish and W3AF. Finally I will go into the ideas for another round of testing and the possibility of soliciting target apps from the community.
Larry Suto is an application security consultant based in the San Francisco Bay Area. He is focused on software security analysis and the testing the effectiveness of software security tools.

Previous Meeting (Feb-1-2010) in Brussels


Monday, February 1th, 2010 (18h00pm-21h00pm), together with ISSA Belgium.


Location sponsored by Ernst&Young's Information Security Team.
address: De Kleetlaan 2, 1831 Diegem (Route + Google Maps)


The agenda:

Presentation + discussion: GreenSQL, an open source database security solution, is available for three years. With the release of version 1.2 GreenSQL started providing support to PostgreSQL besides MySQL. GreenSQL provides a reverse proxy solution to SQL statements and during the reverse proxy process provides several security mechanisms. The lecture will focus on the latest version of GreenSQL and the solution for SQL injection and other attacks.
Yuli Stremovsky is a database security expert. He is responsible for design, development of novel database protection solution - GreenSQL. He is an experienced security consultant that worked for a number of leading financial institutions, telecom and health service companies. In the past, he was also involved in software development in a number of start-up companies including development of the security products.
Presentation + discussion:
  • Mobile Platforms
  • Situation 2005-2009
  • Current threats
  • Case: The Ikee / Duh botnet on jailbroken iPhones
  • Case: Android banking trojans
  • Future scenarios
  • How to fight content security problems in mobile world?
Mikko Hypponen is the Chief Research Officer for F-Secure. He has worked with F-Secure since 1991 and has led his team through the biggest malware outbreaks in history. Mr. Hypponen has assisted law enforcment in USA, Europe and Asia on cybercrime cases. He has written for magazines such as Scientific American, Foreign Policy and Virus Bulletin.


There are only 100 seats available (first register, first serve)! Please send a mail to Belgium 'at' if you plan to attend.

Past Events

Belgium OWASP Chapter Leaders

The BeLux Chapter is supported by the following board:

  • Erwin Geirnaert, Zion Security
  • Philippe Bogaerts, F5
  • André Mariën,
  • Lieven Desmet, K.U.Leuven
  • Joël Quinet, Telindus
  • Sebastien Deleersnyder, Zenitel
  • Bart De Win, Ascure
Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects.